How did it go from "He even performed a backup/mirror of several dozen of our repositories." to "He deleted part of our repository from GitHub. (..) [He published] an empty package in the cooker repository, which obsoleted all gnome and cosmic packages."?
I feel like there's a few steps missing there. How does it go from "a new person joins the community" to "he's able to nuke everything"? Sure, he might be reasonably well-known, but in the post it doesn't sound like he was a core maintainer, or even a very active community member. Do they just randomly hand out admin access to anyone?
It's hard to maintain open source software that needs infrastructure. Everyone is a volunteer and it's not like the Mandriva project has the resources to fully vet people as well as have a high quality RBAC and access control system. This guy sounds like maintained a large project, offered to help, and Mandriva saw the Trojan horse as a way to alleviate a lot of their problems.
And it didn't sound like he was able to "nuke everything" - it sounds like he had access to their repository infrastructure (which is reasonable given he was volunteering to host it) and then lashed out.
If anything, I think it's a bigger organizational red flag that they agreed to privately host their source code on some random git forge and not a larger, more communal one. I mean, even if they didn't want to use GitHub (did this even cost money for them) then there are other providers to choose from.
It just sounds like the Mandriva maintainers are trusting and good folk who may be overworked running an open source project and that led to a bad apple entering the bunch. It's hard for me to be mad in that kind of situation.
> How did it go from "He even performed a backup/mirror of several dozen of our repositories." to "He deleted part of our repository from GitHub
What's unclear? This guy was part of the project for some time and got maintainer trust. Then he brings in his mate. His mate is a crap person and gets kicked out of the project. The original guy then goes bananas and nukes stuff.
There aren’t, they just don’t write it because it’s shameful for them. They trusted a man who brought two more people in, and they thought they were sheriffs.
I had no idea mandriva/openmandriva still existed. I still have a mandrake cd somewhere, mostly because I cannot seem to be able to depart from physical media :)
Every time someone actively approaches you with an offer to spend their real energy and lifetime on your thing, It's almost always about leverage in some way.
At least if there is actual work attached to it.
Money alone might be paid by people that just have too much of it or want to feel better about something.
But if they actively involve themselves to a degree that goes way beyond scratching their own itch, something's up.
You might get lucky and find a just genuinely good person, but you might also not.
i mean, they're succeeding. whether it's coordinated or not the conclusion is the same.
but i think "linux distributions are dangerous" is the wrong conclusion. the right one is to treat each distribution based on their own security practices, and not "linux" as a whole. one distro's bad practices doesn't make others unsafe any more than one distribution's good practices make other safe.
The real takeaway for projects and companies should be that someone having historically behaved in a logical and responsible way doesn’t guarantee that they’ll continue to do that for forever.
Good security architecture has circuit breakers, even for people who are generally high-trust.
Me too. It was my first Linux back in 2003 and I was immediately hooked. Back then codecs weren't as much of an issue as they were in the late 2000s to early 2010s so everything worked out of the box and the performance on Pentium 4 with 128 MB RAM was phenomenal compared to Windows XP.
How did it go from "He even performed a backup/mirror of several dozen of our repositories." to "He deleted part of our repository from GitHub. (..) [He published] an empty package in the cooker repository, which obsoleted all gnome and cosmic packages."?
I feel like there's a few steps missing there. How does it go from "a new person joins the community" to "he's able to nuke everything"? Sure, he might be reasonably well-known, but in the post it doesn't sound like he was a core maintainer, or even a very active community member. Do they just randomly hand out admin access to anyone?
It's hard to maintain open source software that needs infrastructure. Everyone is a volunteer and it's not like the Mandriva project has the resources to fully vet people as well as have a high quality RBAC and access control system. This guy sounds like maintained a large project, offered to help, and Mandriva saw the Trojan horse as a way to alleviate a lot of their problems.
And it didn't sound like he was able to "nuke everything" - it sounds like he had access to their repository infrastructure (which is reasonable given he was volunteering to host it) and then lashed out.
If anything, I think it's a bigger organizational red flag that they agreed to privately host their source code on some random git forge and not a larger, more communal one. I mean, even if they didn't want to use GitHub (did this even cost money for them) then there are other providers to choose from.
It just sounds like the Mandriva maintainers are trusting and good folk who may be overworked running an open source project and that led to a bad apple entering the bunch. It's hard for me to be mad in that kind of situation.
> How did it go from "He even performed a backup/mirror of several dozen of our repositories." to "He deleted part of our repository from GitHub
What's unclear? This guy was part of the project for some time and got maintainer trust. Then he brings in his mate. His mate is a crap person and gets kicked out of the project. The original guy then goes bananas and nukes stuff.
There aren’t, they just don’t write it because it’s shameful for them. They trusted a man who brought two more people in, and they thought they were sheriffs.
I had no idea mandriva/openmandriva still existed. I still have a mandrake cd somewhere, mostly because I cannot seem to be able to depart from physical media :)
I feel like this is kinda sorta to be expected.
Every time someone actively approaches you with an offer to spend their real energy and lifetime on your thing, It's almost always about leverage in some way.
At least if there is actual work attached to it.
Money alone might be paid by people that just have too much of it or want to feel better about something.
But if they actively involve themselves to a degree that goes way beyond scratching their own itch, something's up.
You might get lucky and find a just genuinely good person, but you might also not.
expected? how often? We've had 30ish years of history on it it, and such things have been really rare.
Nearly a month ago AUR malware happen, now this - it starts to feel like there's some organized attempt to paint Linux distros as dangerous.
i mean, they're succeeding. whether it's coordinated or not the conclusion is the same.
but i think "linux distributions are dangerous" is the wrong conclusion. the right one is to treat each distribution based on their own security practices, and not "linux" as a whole. one distro's bad practices doesn't make others unsafe any more than one distribution's good practices make other safe.
The real takeaway for projects and companies should be that someone having historically behaved in a logical and responsible way doesn’t guarantee that they’ll continue to do that for forever.
Good security architecture has circuit breakers, even for people who are generally high-trust.
TIL Mandriva/Mandrake Linux is still around.
Me too. It was my first Linux back in 2003 and I was immediately hooked. Back then codecs weren't as much of an issue as they were in the late 2000s to early 2010s so everything worked out of the box and the performance on Pentium 4 with 128 MB RAM was phenomenal compared to Windows XP.
I'm so glad the project is still around.
"should have" "could have". Geez. This was malicious. Take legal action already!